- 04 7月, 2016 1 次提交
-
-
由 Takashi Iwai 提交于
The user timer tu->qused counter may go to a negative value when multiple concurrent reads are performed since both the check and the decrement of tu->qused are done in two individual locked contexts. This results in bogus read outs, and the endless loop in the user-space side. The fix is to move the decrement of the tu->qused counter into the same spinlock context as the zero-check of the counter. Cc: <stable@vger.kernel.org> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 08 5月, 2016 3 次提交
-
-
由 Kangjie Lu 提交于
The stack object “r1” has a total size of 32 bytes. Its field “event” and “val” both contain 4 bytes padding. These 8 bytes padding bytes are sent to user without being initialized. Signed-off-by: NKangjie Lu <kjlu@gatech.edu> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
由 Kangjie Lu 提交于
The stack object “r1” has a total size of 32 bytes. Its field “event” and “val” both contain 4 bytes padding. These 8 bytes padding bytes are sent to user without being initialized. Signed-off-by: NKangjie Lu <kjlu@gatech.edu> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
由 Kangjie Lu 提交于
The stack object “tread” has a total size of 32 bytes. Its field “event” and “val” both contain 4 bytes padding. These 8 bytes padding bytes are sent to user without being initialized. Signed-off-by: NKangjie Lu <kjlu@gatech.edu> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 25 4月, 2016 1 次提交
-
-
由 Alexandre Belloni 提交于
There are no users of rtctimer left. Remove its code as this is the in-kernel user of the legacy PC RTC driver that will hopefully be removed at some point. Signed-off-by: NAlexandre Belloni <alexandre.belloni@free-electrons.com> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 01 4月, 2016 1 次提交
-
-
由 Takashi Iwai 提交于
ALSA system timer backend stops the timer via del_timer() without sync and leaves del_timer_sync() at the close instead. This is because of the restriction by the design of ALSA timer: namely, the stop callback may be called from the timer handler, and calling the sync shall lead to a hangup. However, this also triggers a kernel BUG() when the timer is rearmed immediately after stopping without sync: kernel BUG at kernel/time/timer.c:966! Call Trace: <IRQ> [<ffffffff8239c94e>] snd_timer_s_start+0x13e/0x1a0 [<ffffffff8239e1f4>] snd_timer_interrupt+0x504/0xec0 [<ffffffff8122fca0>] ? debug_check_no_locks_freed+0x290/0x290 [<ffffffff8239ec64>] snd_timer_s_function+0xb4/0x120 [<ffffffff81296b72>] call_timer_fn+0x162/0x520 [<ffffffff81296add>] ? call_timer_fn+0xcd/0x520 [<ffffffff8239ebb0>] ? snd_timer_interrupt+0xec0/0xec0 .... It's the place where add_timer() checks the pending timer. It's clear that this may happen after the immediate restart without sync in our cases. So, the workaround here is just to use mod_timer() instead of add_timer(). This looks like a band-aid fix, but it's a right move, as snd_timer_interrupt() takes care of the continuous rearm of timer. Reported-by: NJiri Slaby <jslaby@suse.cz> Cc: <stable@vger.kernel.org> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 23 3月, 2016 1 次提交
-
-
由 Takashi Sakamoto 提交于
'struct snd_timer_gparams' includes some members with 'unsigned long', therefore its size differs depending on data models of architecture. As a result, x86/x32 applications fail to execute ioctl(2) with SNDRV_TIMER_GPARAMS command on x86_64 machine. This commit fixes this bug by adding a pair of structure and ioctl command for the compatibility. Signed-off-by: NTakashi Sakamoto <o-takashi@sakamocchi.jp> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 12 2月, 2016 1 次提交
-
-
由 Takashi Iwai 提交于
snd_timer_notify1() is called outside the spinlock and it retakes the lock after the unlock. This is rather racy, and it's safer to move snd_timer_notify() call inside the main spinlock. The patch also contains a slight refactoring / cleanup of the code. Now all start/stop/continue/pause look more symmetric and a bit better readable. Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 10 2月, 2016 1 次提交
-
-
由 Takashi Iwai 提交于
In order to make the open/close more robust, widen the register_mutex protection over the whole snd_timer_close() function. Also, the close procedure is slightly shuffled to be in the safer order, as well as a few code refactoring. Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 09 2月, 2016 3 次提交
-
-
由 Takashi Iwai 提交于
snd_timer_user_read() has a potential race among parallel reads, as qhead and qused are updated outside the critical section due to copy_to_user() calls. Move them into the critical section, and also sanitize the relevant code a bit. Cc: <stable@vger.kernel.org> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
由 Takashi Iwai 提交于
A slave timer element also unlinks at snd_timer_stop() but it takes only slave_active_lock. When a slave is assigned to a master, however, this may become a race against the master's interrupt handling, eventually resulting in a list corruption. The actual bug could be seen with a syzkaller fuzzer test case in BugLink below. As a fix, we need to take timeri->timer->lock when timer isn't NULL, i.e. assigned to a master, while the assignment to a master itself is protected by slave_active_lock. BugLink: http://lkml.kernel.org/r/CACT4Y+Y_Bm+7epAb=8Wi=AaWd+DYS7qawX52qxdCfOfY49vozQ@mail.gmail.com Cc: <stable@vger.kernel.org> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
由 Takashi Iwai 提交于
In snd_timer_notify1(), the wrong timer instance was passed for slave ccallback function. This leads to the access to the wrong data when an incompatible master is handled (e.g. the master is the sequencer timer and the slave is a user timer), as spotted by syzkaller fuzzer. This patch fixes that wrong assignment. BugLink: http://lkml.kernel.org/r/CACT4Y+Y_Bm+7epAb=8Wi=AaWd+DYS7qawX52qxdCfOfY49vozQ@mail.gmail.comReported-by: NDmitry Vyukov <dvyukov@google.com> Cc: <stable@vger.kernel.org> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 05 2月, 2016 1 次提交
-
-
由 Takashi Iwai 提交于
In ALSA timer core, the active timer instance is managed in active_list linked list. Each element is added / removed dynamically at timer start, stop and in timer interrupt. The problem is that snd_timer_interrupt() has a thinko and leaves the element in active_list when it's the last opened element. This eventually leads to list corruption or use-after-free error. This hasn't been revealed because we used to delete the list forcibly in snd_timer_stop() in the past. However, the recent fix avoids the double-stop behavior (in commit [f784beb7: ALSA: timer: Fix link corruption due to double start or stop]), and this leak hits reality. This patch fixes the link management in snd_timer_interrupt(). Now it simply unlinks no matter which stream is. BugLink: http://lkml.kernel.org/r/CACT4Y+Yy2aukHP-EDp8-ziNqNNmb-NTf=jDWXMP7jB8HDa2vng@mail.gmail.comReported-by: NDmitry Vyukov <dvyukov@google.com> Cc: <stable@vger.kernel.org> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 03 2月, 2016 1 次提交
-
-
由 Takashi Iwai 提交于
ALSA timer core framework has no sync point at stopping because it's called inside the spinlock. Thus we need a sync point at close for avoiding the stray timer task. This is simply done by implementing the close callback just calling del_timer_sync(). (It's harmless to call it unconditionally, as the core timer itself cares of the already deleted timer instance.) Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 01 2月, 2016 1 次提交
-
-
由 Takashi Iwai 提交于
Although ALSA timer code got hardening for races, it still causes use-after-free error. This is however rather a corrupted linked list, not actually the concurrent accesses. Namely, when timer start is triggered twice, list_add_tail() is called twice, too. This ends up with the link corruption and triggers KASAN error. The simplest fix would be replacing list_add_tail() with list_move_tail(), but fundamentally it's the problem that we don't check the double start/stop correctly. So, the right fix here is to add the proper checks to snd_timer_start() and snd_timer_stop() (and their variants). BugLink: http://lkml.kernel.org/r/CACT4Y+ZyPRoMQjmawbvmCEDrkBD2BQuH7R09=eOkf5ESK8kJAw@mail.gmail.comReported-by: NDmitry Vyukov <dvyukov@google.com> Cc: <stable@vger.kernel.org> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 22 1月, 2016 2 次提交
-
-
由 Takashi Iwai 提交于
Instead of the previous ugly hack, introduce a new op, disconnect, to snd_timer_instance object for handling the wake up of pending tasks more cleanly. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=109431Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
由 Takashi Iwai 提交于
Currently ALSA timer device doesn't take the disconnection into account very well; it merely unlinks the timer device at disconnection callback but does nothing else. Because of this, when an application accessing the timer device is disconnected, it may release the resource before actually closed. In most cases, it results in a warning message indicating a leftover timer instance like: ALSA: timer xxxx is busy? But basically this is an open race. This patch tries to address it. The strategy is like other ALSA devices: namely, - Manage card's refcount at each open/close - Wake up the pending tasks at disconnection - Check the shutdown flag appropriately at each possible call Note that this patch has one ugly hack to handle the wakeup of pending tasks. It'd be cleaner to introduce a new disconnect op to snd_timer_instance ops. But since it would lead to internal ABI breakage and it eventually increase my own work when backporting to stable kernels, I took a different path to implement locally in timer.c. A cleanup patch will follow at next for 4.5 kernel. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=109431 Cc: <stable@vger.kernel.org> # v3.15+ Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 15 1月, 2016 2 次提交
-
-
由 Takashi Iwai 提交于
This is a minor code cleanup without any functional changes: - Kill keep_flag argument from _snd_timer_stop(), as all callers pass only it false. - Remove redundant NULL check in _snd_timer_stop(). Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
由 Takashi Iwai 提交于
A slave timer instance might be still accessible in a racy way while operating the master instance as it lacks of locking. Since the master operation is mostly protected with timer->lock, we should cope with it while changing the slave instance, too. Also, some linked lists (active_list and ack_list) of slave instances aren't unlinked immediately at stopping or closing, and this may lead to unexpected accesses. This patch tries to address these issues. It adds spin lock of timer->lock (either from master or slave, which is equivalent) in a few places. For avoiding a deadlock, we ensure that the global slave_active_lock is always locked at first before each timer lock. Also, ack and active_list of slave instances are properly unlinked at snd_timer_stop() and snd_timer_close(). Last but not least, remove the superfluous call of _snd_timer_stop() at removing slave links. This is a noop, and calling it may confuse readers wrt locking. Further cleanup will follow in a later patch. Actually we've got reports of use-after-free by syzkaller fuzzer, and this hopefully fixes these issues. Reported-by: NDmitry Vyukov <dvyukov@google.com> Cc: <stable@vger.kernel.org> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 14 1月, 2016 2 次提交
-
-
由 Takashi Iwai 提交于
ALSA timer ioctls have an open race and this may lead to a use-after-free of timer instance object. A simplistic fix is to make each ioctl exclusive. We have already tread_sem for controlling the tread, and extend this as a global mutex to be applied to each ioctl. The downside is, of course, the worse concurrency. But these ioctls aren't to be parallel accessible, in anyway, so it should be fine to serialize there. Reported-by: NDmitry Vyukov <dvyukov@google.com> Tested-by: NDmitry Vyukov <dvyukov@google.com> Cc: <stable@vger.kernel.org> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
由 Takashi Iwai 提交于
ALSA timer instance object has a couple of linked lists and they are unlinked unconditionally at snd_timer_stop(). Meanwhile snd_timer_interrupt() unlinks it, but it calls list_del() which leaves the element list itself unchanged. This ends up with unlinking twice, and it was caught by syzkaller fuzzer. The fix is to use list_del_init() variant properly there, too. Reported-by: NDmitry Vyukov <dvyukov@google.com> Tested-by: NDmitry Vyukov <dvyukov@google.com> Cc: <stable@vger.kernel.org> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 28 5月, 2015 1 次提交
-
-
由 Jie Yang 提交于
We may disable proc fs only for sound part, to reduce ALSA memory footprint. So add CONFIG_SND_PROC_FS and replace the old CONFIG_PROC_FSs in alsa code. With sound proc fs disabled, we can save about 9KB memory size on X86_64 platform. Signed-off-by: NJie Yang <yang.jie@intel.com> Reviewed-by: NMark Brown <broonie@kernel.org> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 10 3月, 2015 1 次提交
-
-
由 Takashi Iwai 提交于
The kernel memory allocators already report the errors when the requested allocation fails, thus we don't need to warn it again in each caller side. Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 03 2月, 2015 1 次提交
-
-
由 Takashi Iwai 提交于
Now that all callers have been replaced with snd_device_register_for_dev(), let's drop the obsolete device registration code and concentrate only on the code handling struct device directly. That said, - remove the old snd_device_register(), - rename snd_device_register_for_dev() with snd_device_register(), - drop superfluous arguments from snd_device_register(), - change snd_unregister_device() to pass the device pointer directly Reviewed-by: NJaroslav Kysela <perex@perex.cz> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 02 2月, 2015 2 次提交
-
-
由 Takashi Iwai 提交于
This is a relatively straightforward change, using the struct device directly for managing the ALSA timer device. Reviewed-by: NJaroslav Kysela <perex@perex.cz> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
由 Takashi Iwai 提交于
... instead of just printing errors. Reviewed-by: NJaroslav Kysela <perex@perex.cz> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 19 1月, 2015 1 次提交
-
-
由 Takashi Iwai 提交于
No functional change, refactoring with the standard helpers. Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 12 6月, 2014 1 次提交
-
-
由 Thomas Gleixner 提交于
do_posix_clock_monotonic_gettime() is a leftover from the initial posix timer implementation which maps to ktime_get_ts(). Signed-off-by: NThomas Gleixner <tglx@linutronix.de> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 14 2月, 2014 1 次提交
-
-
由 Takashi Iwai 提交于
Use the standard pr_xxx() helpers instead of home-baked snd_print*(). Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 10 2月, 2014 1 次提交
-
-
由 Takashi Iwai 提交于
Replace the lengthy #if defined(XXX) || defined(XXX_MODULE) with the new IS_ENABLED() macro. The patch still doesn't cover all ifdefs. For example, the dependency on CONFIG_GAMEPORT is still open-coded because this also has an extra dependency on MODULE. Similarly, an open-coded ifdef in pcm_oss.c and some sequencer-related stuff are left untouched. Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 12 3月, 2012 1 次提交
-
-
由 Paul Gortmaker 提交于
For files that are actively using linux/device.h, make sure that they call it out. This will allow us to clean up some of the implicit uses of linux/device.h within include/* without introducing build regressions. Yes, this was created by "cheating" -- i.e. the headers were cleaned up, and then the fallout was found and fixed, and then the two commits were reordered. This ensures we don't introduce build regressions into the git history. Signed-off-by: NPaul Gortmaker <paul.gortmaker@windriver.com>
-
- 01 11月, 2011 1 次提交
-
-
由 Paul Gortmaker 提交于
The implicit presence of module.h lured several users into incorrectly thinking that they only needed/used modparam.h but once we clean up the module.h presence, these will show up as build failures, so fix 'em now. Signed-off-by: NPaul Gortmaker <paul.gortmaker@windriver.com>
-
- 08 8月, 2011 2 次提交
-
-
由 Takashi Iwai 提交于
Just to be sure. Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
由 Takashi Iwai 提交于
A slave-timer instance has no timer reference, and this results in NULL-dereference at stopping the timer, typically called at closing the device. Reference: https://bugzilla.kernel.org/show_bug.cgi?id=40682 Cc: <stable@kernel.org> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 17 3月, 2011 1 次提交
-
-
由 Nicolas Kaiser 提交于
Merge list_del() + list_add_tail() to list_move_tail(). Signed-off-by: NNicolas Kaiser <nikai@nikai.net> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 24 11月, 2010 1 次提交
-
-
由 Kay Sievers 提交于
If CONFIG_SND_DYNAMIC_MINORS is used, assign /dev/snd/seq and /dev/snd/timer the usual static minors, and export specific module aliases to generate udev module on-demand loading instructions: $ cat /lib/modules/2.6.33.4-smp/modules.devname # Device nodes to trigger on-demand module loading. microcode cpu/microcode c10:184 fuse fuse c10:229 ppp_generic ppp c108:0 tun net/tun c10:200 uinput uinput c10:223 dm_mod mapper/control c10:236 snd_timer snd/timer c116:33 snd_seq snd/seq c116:1 The last two lines instruct udev to create device nodes, even when the modules are not loaded at that time. As soon as userspace accesses any of these nodes, the in-kernel module-loader will load the module, and the device can be used. The header file minor calculation needed to be simplified to make __stringify() (supports only two indirections) in the MODULE_ALIAS macro work. This is part of systemd's effort to get rid of unconditional module load instructions and needless init scripts. Cc: Lennart Poettering <lennart@poettering.net> Signed-off-by: NKay Sievers <kay.sievers@vrfy.org> Signed-off-by: NClemens Ladisch <clemens@ladisch.de> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 22 11月, 2010 1 次提交
-
-
由 Clemens Ladisch 提交于
Increase the default timer limit so that snd-hrtimer.ko can be automatically loaded when needed, e.g., when used as the default sequencer timer. This replaces the check for the obsolete CONFIG_SND_HPET. Signed-off-by: NClemens Ladisch <clemens@ladisch.de> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 05 5月, 2010 1 次提交
-
-
由 Dan Carpenter 提交于
We should disable irqs when we take the tu->qlock because it is used in the irq handler. The only place that doesn't is snd_timer_user_ccallback(). Most of the time snd_timer_user_ccallback() is called with interrupts disabled but the the first ti->ccallback() call in snd_timer_notify1() has interrupts enabled. This was caught by lockdep which generates the following message: > ================================= > [ INFO: inconsistent lock state ] > 2.6.34-rc5 #5 > --------------------------------- > inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage. > dolphin/4003 [HC1[1]:SC0[0]:HE0:SE1] takes: > (&(&tu->qlock)->rlock){?.+...}, at: [<f84ec472>] snd_timer_user_tinterrupt+0x28/0x132 [snd_timer] > {HARDIRQ-ON-W} state was registered at: > [<c1048de9>] __lock_acquire+0x654/0x1482 > [<c1049c73>] lock_acquire+0x5c/0x73 > [<c125ac3e>] _raw_spin_lock+0x25/0x34 > [<f84ec370>] snd_timer_user_ccallback+0x55/0x95 [snd_timer] > [<f84ecc4b>] snd_timer_notify1+0x53/0xca [snd_timer] Reported-by: NStefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: NDan Carpenter <error27@gmail.com> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 13 4月, 2010 1 次提交
-
-
由 Takashi Iwai 提交于
Set no_llseek to llseek file ops of each sound component (but for hwdep). This avoids the implicit BKL invocation via generic_file_llseek() used as default when fops.llseek is NULL. Also call nonseekable_open() at each open ops to ensure the file flags have no seek bit. Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
- 04 3月, 2010 1 次提交
-
-
由 Jaroslav Kysela 提交于
Do not use hardcoded SNDRV_TIMER_EVENT_START value. Signed-off-by: NJaroslav Kysela <perex@perex.cz> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-